Process Analysis
Definition
Process Analysis consists of observing a running application process and analyzing it to watch for certain behaviors or conditions which may indicate adversary activity. Analysis can occur inside of the process or through a third-party monitoring application. Examples include monitoring system and privileged calls, monitoring process initiation chains, and memory boundary allocations.
Technique Subclasses
There are 12 techniques in this category, Process Analysis.
Name | ID | Definition | Synonyms |
---|---|---|---|
Process Analysis | D3-PA | Process Analysis consists of observing a running application process and analyzing it to watch for certain behaviors or conditions which may indicate adversary activity. Analysis can occur inside of the process or through a third-party monitoring application. Examples include monitoring system and privileged calls, monitoring process initiation chains, and memory boundary allocations. | |
- Indirect Branch Call Analysis | D3-IBCA | Analyzing vendor specific branch call recording in order to detect ROP style attacks. | |
- Process Code Segment Verification | D3-PCSV | Comparing the "text" or "code" memory segments to a source of truth. | |
- Process Spawn Analysis | D3-PSA | Analyzing spawn arguments or attributes of a process to detect processes that are unauthorized. | |
- Database Query String Analysis | D3-DQSA | Analyzing database queries to detect [SQL Injection](https://capec.mitre.org/data/definitions/66.html). | |
- File Access Pattern Analysis | D3-FAPA | Analyzing the files accessed by a process to identify unauthorized activity. | |
- File Creation Analysis | D3-FCA | Analyzing the properties of file create system call invocations. | |
- Process Lineage Analysis | D3-PLA | Identification of suspicious processes executing on an end-point device by examining the ancestry and siblings of a process, and the associated metadata of each node on the tree, such as process execution, duration, and order relative to siblings and ancestors. | Process Tree Analysis |
- Process Self-Modification Detection | D3-PSMD | Detects processes that modify, change, or replace their own code at runtime. | |
- Script Execution Analysis | D3-SEA | Analyzing the execution of a script to detect unauthorized user activity. | |
- Shadow Stack Comparisons | D3-SSC | Comparing a call stack in system memory with a shadow call stack maintained by the processor to determine unauthorized shellcode activity. | |
- System Call Analysis | D3-SCA | Analyzing system calls to determine whether a process is exhibiting unauthorized behavior. | |
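To make the two process-level techniques in the table concrete, here is an added example (not D3FEND's own code or data) that applies Process Lineage Analysis (D3-PLA) and Process Spawn Analysis (D3-PSA) to a handful of constructed process-creation events shaped like Sysmon Event ID 1 or auditd execve records. The event fields, the sets of "office" and "shell" images, the EncodedCommand flag prefixes and the sample events are all assumptions chosen for illustration. The lineage rule walks each shell process's ancestor chain and flags it when an Office application appears anywhere in the chain; the spawn-argument rule flags PowerShell launched with an encoded command. The ancestry walk stops at an unknown parent PID and guards against cyclic parent links, which real telemetry does produce after PID reuse.

```python
"""Process lineage (D3-PLA) and spawn-argument (D3-PSA) analysis over constructed events.

Added example; not part of D3FEND. Event format, rule sets and sample data are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable basename, already lower-cased by the collector (assumption)
    cmdline: str


# Rule data: assumed sets, not an authoritative list.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# PowerShell accepts unambiguous prefixes of -EncodedCommand; this is a subset (assumption).
ENCODED_FLAGS = ("-e", "-ec", "-en", "-enc", "-encodedcommand")

# Constructed sample telemetry (not real). "SQBFAFgA" is base64 of the UTF-16LE string "IEX".
SAMPLE_EVENTS = [
    ProcEvent(400, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(812, 400, "winword.exe", 'winword.exe "C:\\Users\\a\\invoice.docx"'),
    ProcEvent(900, 812, "cmd.exe", "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"),
    ProcEvent(950, 900, "powershell.exe", "powershell -nop -w hidden -enc SQBFAFgA"),
    ProcEvent(1200, 400, "chrome.exe", "chrome.exe"),
    ProcEvent(1300, 1, "services.exe", "services.exe"),
    ProcEvent(1350, 1300, "svchost.exe", "svchost.exe -k netsvcs"),
]


def build_tree(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    """Index events by PID so parents can be resolved in O(1)."""
    return {e.pid: e for e in events}


def ancestry(pid: int, procs: Dict[int, ProcEvent], max_depth: int = 32) -> List[str]:
    """Images of pid's ancestors, nearest first.

    Stops at a parent PID with no event (e.g. the init/System process) and refuses to
    revisit a PID, so a self-parented or cyclic record cannot loop forever.
    """
    chain: List[str] = []
    seen = {pid}
    cur = procs.get(pid)
    while cur is not None and len(chain) < max_depth:
        parent = procs.get(cur.ppid)
        if parent is None or parent.pid in seen:
            break
        seen.add(parent.pid)
        chain.append(parent.image)
        cur = parent
    return chain


def encoded_powershell(cmdline: str) -> bool:
    """D3-PSA check: command line carries an EncodedCommand flag (case-insensitive)."""
    return any(tok in ENCODED_FLAGS for tok in cmdline.lower().split())


def analyze(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, technique_id, detail) findings for the two rules above."""
    procs = build_tree(events)
    findings: List[Tuple[int, str, str]] = []
    for e in events:
        if e.image in SHELLS:
            chain = ancestry(e.pid, procs)
            office = [img for img in chain if img in OFFICE_APPS]
            if office:
                findings.append((e.pid, "D3-PLA",
                                 f"{e.image} descends from {office[0]} via {' <- '.join(chain)}"))
        if e.image in POWERSHELL and encoded_powershell(e.cmdline):
            findings.append((e.pid, "D3-PSA", f"encoded command line: {e.cmdline}"))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"pid={pid} {rule}: {detail}")
```

Running the block against the constructed events reports the cmd.exe and powershell.exe processes under winword.exe as lineage findings, and the powershell.exe process a second time for its encoded command line; chrome.exe and svchost.exe produce nothing. Because the lineage check inspects the whole ancestor chain rather than only the immediate parent, inserting an intermediate cmd.exe does not hide the Office origin, which is the point of analyzing the tree rather than a single spawn edge.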
D3FEND™
A knowledge graph of cybersecurity countermeasures